Meeting critical automotive safety standards: a case for automated FMEDA
01 October 2020
The safety & comfort of cars has increased dramatically over the past decade. Nowadays, even economy class vehicles feature advanced driver-assistance systems (ADAS) that, in certain conditions, can control not only acceleration & braking, but also steering.
This article was originally featured in the October 2020 issue of EPDT magazine.
Fully autonomous vehicles are on the horizon – and although it is not clear when and how deployment will start, technology is moving fast. Established automotive manufacturers are investing heavily in machine learning (ML) and other artificial intelligence (AI) fields. Meanwhile, new players are crowding this space, attracted by what is largely expected to be a booming, disruptive technology. Sergio Marchese, Technical Marketing Manager at IC integrity verification specialist OneSpin Solutions, discusses the implications for assessing the safety of automotive chips.
Complex electronic systems are at the heart of automotive innovation. While traditional car manufacturers have enormous experience in ‘bending metal’ and designing internal combustion engines, they rely on automotive original equipment manufacturers (OEMs) and tier 1 suppliers for the dozens of electronic control units (ECUs) and associated software that make modern vehicles safe, secure, energy-efficient, comfortable – and generally ‘smart’. Automotive application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs) and systems-on-chip (SoCs) designed and produced by companies like Infineon, Renesas, NXP and Bosch are ever more crucial in ensuring the long-term commercial success of car manufacturers.
Tesla, one of the most innovative companies in the world, has recently made headlines in the semiconductor industry. Despite not having previous hardware development capabilities, it decided to develop its own, highly specialised chip. Tesla’s full self-driving (FSD) chip, presented in April 2019, includes two neural network accelerators (NNAs) developed in house. It also integrates third-party intellectual properties (IPs), including a graphics processing unit (GPU) and an Arm-based central processing unit (CPU) subsystem.
Tesla claims that its FSD computer, already deployed in production and based on a board that includes two FSD chips, is 21x faster than its previous, NVIDIA-based solution – and capable of processing 2,300 frames per second within a tight power envelope. According to Tesla, the FSD computer will be able to support autonomous driving once software catches up.
Analysing & quantifying the risk of silicon failures
Shrinking transistor geometries, aggressive power consumption targets and complex functional requirements increase the risk of integrated circuits (ICs) malfunctioning in the field. Electromigration, cosmic rays, aging and other physical effects can permanently or temporarily corrupt the behaviour of hardware functions. Random hardware failures may give rise to hazardous events that could result in damage to property – or even loss of human life.
The ISO 26262 functional safety standard defines requirements that encompass development, production and decommissioning of electronic systems for road vehicles. The standard specifies four automotive safety integrity levels (ASILs), from ASIL A to ASIL D, with ASIL D being the most stringent.
A central concept in ISO 26262 is that of safety goals: random hardware failures may lead to violation of safety goals. Automotive ASICs/FPGAs/SoCs include safety mechanisms that prevent or control random hardware failures. Engineers must list potential failure modes and provide evidence that the target ASIL has been achieved.
As a chip may be used in a variety of applications, it is often referred to as safety element out of context (SEooC), and it is accompanied by a safety manual that specifies its assumptions of use. The safety architecture of modern automotive chips is complex and typically features a variety of safety mechanisms, including software self-test, redundancy, lock-step processors, and parity or error-correcting code (ECC) for memory protection. FMEDA (failure modes, effects and diagnostic analysis) is an analytical method to assess the safety architecture and implementation.
The FMEDA process has three crucial steps: (1) validation of the safety architecture and partitioning of hardware functions and faults according to failure modes; (2) determination of the diagnostic coverage, which measures the ability of safety mechanisms to prevent safety goal violations; and (3) computation of the ISO 26262 hardware safety metrics, namely the single-point fault metric (SPFM), the latent fault metric (LFM) and the probabilistic metric for random hardware failures (PMHF).
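The third step above is arithmetic over the FMEDA table, and it is worth seeing it carried out. The following is an added example, not code from the article or from OneSpin: it takes a constructed list of failure modes (names, FIT rates and coverage figures are all illustrative assumptions), partitions each mode's failure rate into single-point, residual and latent multi-point contributions, computes SPFM and LFM with the ISO 26262-5 formulas, and compares them with the ASIL B/C/D targets from that part of the standard. The PMHF value is a simplified first-order estimate (single-point plus residual faults); the standard's full PMHF also includes dual-point failure combinations.

```python
"""Added example: computing the ISO 26262 hardware safety metrics from an FMEDA table.

Not OneSpin's code. The failure modes, FIT rates and coverage figures below are
constructed for illustration; the ASIL targets follow ISO 26262-5. The PMHF here
is a first-order estimate (single-point plus residual faults only); the
standard's full PMHF also accounts for dual-point failure combinations.
"""
from dataclasses import dataclass


@dataclass
class FailureMode:
    name: str
    fit: float                # base failure rate in FIT (failures per 1e9 device-hours)
    safety_related: bool      # elements that cannot violate a safety goal are excluded
    dc_residual: float = 0.0  # DC of the safety mechanism against this mode (0 = no mechanism)
    dc_latent: float = 0.0    # DC of the mechanism that reveals faults in the safety mechanism itself


# ISO 26262-5 targets: (min SPFM, min LFM, max PMHF in FIT), most stringent first.
ASIL_TARGETS = {
    "ASIL D": (0.99, 0.90, 10.0),
    "ASIL C": (0.97, 0.80, 100.0),
    "ASIL B": (0.90, 0.60, 100.0),
}


def partition(fm):
    """Split one mode's rate into (single-point, residual, latent multi-point, detected multi-point)."""
    if fm.dc_residual == 0:
        return fm.fit, 0.0, 0.0, 0.0             # unprotected: every fault is a single-point fault
    residual = fm.fit * (1 - fm.dc_residual)     # faults the mechanism misses
    multi = fm.fit - residual                    # controlled faults; harmful only in combination
    latent = multi * (1 - fm.dc_latent)          # controlled but never revealed to the system
    return 0.0, residual, latent, multi - latent


def compute_metrics(modes):
    safety = [m for m in modes if m.safety_related]
    total = sum(m.fit for m in safety)
    spf = rf = mpf_latent = 0.0
    contributions = {}
    for m in safety:
        s, r, lat, _ = partition(m)
        spf, rf, mpf_latent = spf + s, rf + r, mpf_latent + lat
        contributions[m.name] = s + r            # each mode's share of the SPF/RF budget
    multi_total = total - spf - rf
    return {
        "spfm": 1 - (spf + rf) / total,
        "lfm": 1 - mpf_latent / multi_total if multi_total else 1.0,
        "pmhf_fit": spf + rf,                    # simplified first-order PMHF (assumption)
        "contributions": contributions,
    }


def achieved_asil(metrics):
    """Highest ASIL whose three targets are all met, or 'QM' if none."""
    for asil, (spfm_t, lfm_t, pmhf_t) in ASIL_TARGETS.items():
        if metrics["spfm"] >= spfm_t and metrics["lfm"] >= lfm_t and metrics["pmhf_fit"] < pmhf_t:
            return asil
    return "QM"


def weakest_modes(metrics, n=2):
    """Modes with the largest uncovered rate: where a mechanism is missing or its DC is too low."""
    c = metrics["contributions"]
    return sorted(c, key=c.get, reverse=True)[:n]


# Constructed FMEDA table for a small SoC safety subsystem (illustrative values).
SAMPLE_DESIGN = [
    FailureMode("cpu_lockstep", 50.0, True, dc_residual=0.99, dc_latent=0.90),
    FailureMode("sram_ecc", 200.0, True, dc_residual=0.99, dc_latent=0.90),
    FailureMode("timer_watchdog", 10.0, True, dc_residual=0.90, dc_latent=0.60),
    FailureMode("reset_ctrl", 3.0, True),        # no safety mechanism at all
    FailureMode("debug_gpio", 30.0, False),      # not safety-related: excluded from the metrics
]
METRICS = compute_metrics(SAMPLE_DESIGN)

if __name__ == "__main__":
    print(f"SPFM={METRICS['spfm']:.2%} LFM={METRICS['lfm']:.2%} PMHF={METRICS['pmhf_fit']:.1f} FIT")
    print("achieved:", achieved_asil(METRICS), "| improve first:", weakest_modes(METRICS))
```

With these constructed inputs the subsystem reaches ASIL C but not ASIL D: SPFM is just under 98% and LFM just under 90%, and the two modes to fix first are the unprotected reset controller (pure single-point faults) and the ECC-protected SRAM, whose 1% residual on a 200 FIT block outweighs the lock-step CPU's residual. That ranking is exactly the "areas of low diagnostic coverage" output that a safety architect wants from an automated flow before committing to fault simulation.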
SoC and IP developers often use sub-optimal FMEDA flows. They rely on manual analysis from expert engineers, as well as effort-intensive fault injection and simulation of design models at the register-transfer level (RTL), or gate-level netlist. Some large companies develop in-house tools to automate portions of the flow. These methods are error-prone, require excessive computational resources and entail long iteration cycles. Internal tools are hard to maintain and productise, as that requires providing high-quality documentation, training and support. Engineers demand structured, systematic approaches to identify failure modes, perform a quick analysis of the safety architecture to detect shortcomings and areas of low diagnostic coverage, and estimate failure in time (FIT) rates and the other safety metrics.
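The diagnostic coverage figures that feed the metrics are what fault injection is for, and a small exhaustive campaign shows why coverage depends on the fault model. The following is an added example, not code from the article or from OneSpin: it models two safety mechanisms for an assumed 8-bit register (a single parity bit, and duplication with compare), injects every single and every double bit flip into the stored encoding, counts a fault as dangerous when it changes the value read out, and reports the fraction of dangerous faults each mechanism flags. The data words are constructed sample inputs.

```python
"""Added example: estimating diagnostic coverage (DC) by exhaustive fault injection.

Not code from OneSpin or the article. Two safety mechanisms for an 8-bit register
are modelled (a single parity bit, and duplication with compare); every single
and double bit flip in the stored encoding is injected. A fault is 'dangerous'
if it changes the value read out; DC is the share of dangerous faults flagged.
"""
import itertools

WIDTH = 8  # assumed register width

# Each scheme: encode(word) -> stored fields, widths of those fields,
# read(fields) -> word seen by the consumer, check(fields) -> True if the mechanism flags a fault.
PARITY = {
    "name": "parity",
    "encode": lambda w: [w, bin(w).count("1") & 1],
    "widths": [WIDTH, 1],
    "read": lambda f: f[0],
    "check": lambda f: (bin(f[0]).count("1") & 1) != f[1],
}
DUPLICATION = {
    "name": "duplicate+compare",
    "encode": lambda w: [w, w],
    "widths": [WIDTH, WIDTH],
    "read": lambda f: f[0],
    "check": lambda f: f[0] != f[1],
}


def fault_sites(scheme):
    """Every (field, bit) position in the stored encoding where a flip can be injected."""
    return [(i, b) for i, width in enumerate(scheme["widths"]) for b in range(width)]


def inject(fields, fault):
    """Return a copy of the stored fields with every (field, bit) in `fault` flipped."""
    corrupted = list(fields)
    for field, bit in fault:
        corrupted[field] ^= 1 << bit
    return corrupted


def diagnostic_coverage(scheme, order, words):
    """Inject every combination of `order` simultaneous bit flips for every word.

    Returns (dangerous, detected, dc): dangerous faults corrupt the read-out value,
    detected ones are also flagged by the mechanism, dc = detected / dangerous.
    """
    dangerous = detected = 0
    for fault in itertools.combinations(fault_sites(scheme), order):
        for w in words:
            corrupted = inject(scheme["encode"](w), fault)
            if scheme["read"](corrupted) != w:
                dangerous += 1
                if scheme["check"](corrupted):
                    detected += 1
    return dangerous, detected, (detected / dangerous if dangerous else 1.0)


SAMPLE_WORDS = [0x00, 0xFF, 0x5A]  # constructed sample data

if __name__ == "__main__":
    for scheme in (PARITY, DUPLICATION):
        for order in (1, 2):
            d, det, dc = diagnostic_coverage(scheme, order, SAMPLE_WORDS)
            print(f"{scheme['name']:18} {order}-bit faults: {det}/{d} dangerous faults detected, DC={dc:.1%}")
```

Both mechanisms reach 100% coverage of single bit flips, but parity catches none of the double flips (an even number of flipped bits leaves the parity consistent, whether the second flip lands in the data or in the parity bit), while duplication misses only the eight common-mode pairs that flip the same bit in both copies. Exhaustive enumeration is affordable here because the model is tiny; on an RTL or gate-level design the same campaign is what makes "brute-force" fault simulation so expensive, and why structural and formal analysis are used to prune the fault list and prove faults equivalent or safe before any simulation runs.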
While manual analysis and ‘brute-force’ fault simulation could have been acceptable in the early days of ISO 26262 (first released in 2011), as methods mature and reach widespread adoption, there is a need for high-quality tools and automated solutions that are easy to use, rigorous and scalable.
Electronic design automation (EDA) companies have extensive expertise in automated processing of chip design models for functional verification, implementation and other hardware development steps. They are well positioned to also automate FMEDA and other safety compliance tasks. In fact, certain EDA companies have recently started commercialising FMEDA automation solutions that can be applied out-of-the-box or customised to fit specific needs and enhance existing flows. Under the hood, they leverage expertise gained from supporting multiple automotive customers; this is particularly valuable, as that gives access to a variety of projects and multiple design analysis engines, including fault injection, formal methods and structural analysis.
High-integrity automotive chips
Modern ASICs/FPGAs/SoCs are exposed to faults during operation. FMEDA and ISO 26262 compliance are crucial to developing high-integrity automotive ICs that are not only functionally correct and secure, but also safe with respect to random hardware failures.
Automated solutions, enabled by EDA tools specifically developed for this purpose, can make the FMEDA process more rigorous, while reducing its cost. New providers of automotive hardware can deploy commercial FMEDA solutions out-of-the-box. Established players may customise the technology and integrate it into their existing flows. For more information on how to automate the FMEDA process and reduce expensive fault simulation, visit onespin.com/fmeda